Fujitsu Turns to Psychology to Battle Cyber-Attacks

The company is working on software that will identify users most vulnerable to attacks and scams and send customized warning messages to them.

Fujitsu engineers are working on technology that they say could reduce problems caused by the No. 1 vulnerability in cyber-attacks: the employee in front of the keyboard.
Despite all the products on the market today—from antivirus software to firewalls to virtual private networks (VPNs)—humans continue to be the key weakness in the security field. They click on malicious links in their email or go to the wrong Websites, potentially opening the floodgates to a cyber-attack.
"In recent years, cyber attacks have been growing increasingly sophisticated, with attacks designed to exploit the psychological vulnerabilities of targeted users to defraud them or infect their PCs with viruses, such as by setting traps in email messages or websites designed to appear to be from trusted sources in line with the targeted user's interests or job duties," Fujitsu officials said in a statement. "These kinds of attacks are often difficult to distinguish from ordinary network access, and are difficult to detect using conventional email filters and firewalls. Moreover, the accidental actions that are the main cause of information leaks will not simply go away."
Because of this, it's becoming increasingly important to figure out which users are most vulnerable to these types of attacks and develop security measures that can be customized to individuals based on their level of risk. Fujitsu officials believe they are on the way to developing such a product. The Japanese tech giant outlined details of the technology Jan. 20 at the Symposium on Cryptography and Information Security show in Japan.

Fujitsu and Fujitsu Laboratories are using the results of a questionnaire and PC activity logs to analyze the psychological traits of employees who are prone to clicking on malicious links or visiting dangerous Websites, opening themselves up to viruses, scams and data breaches. The vendor sent questionnaires to 2,000 employees in Japan, half of whom had experienced a cyber-attack.

"The results of the analysis showed, for example, that people who prioritized benefits over risks (benefit-oriented people) were more vulnerable to virus attacks, and that people who were highly confident in their own ability to use a computer were at higher risk for data leakage," officials said in the statement.
The company has created software that officials said calculates a user's risk of falling victim to a cyber-attack from the user's behavior, by linking his or her behavioral characteristics at the computer to the psychological traits that make the user vulnerable to attacks. In developing the software, Fujitsu created a tool to log a user's computer activity—such as email traffic, Web browsing, and keyboard and mouse activities—and another tool to create false errors, such as the computer freezing up.
"Approximately 250 employees of Fujitsu filled out questionnaires, and this information was used to analyze and quantify the relationship between the psychological traits and behavior of a user vulnerable to attacks," officials said. "For example, it was found that users who are highly confident in their ability to use a computer would often perform keyboard actions when the false freezes occurred, whereas benefit-oriented users would spend little time reading privacy policies."
Fujitsu engineers said their software could be used to customize security measures for individual users. For example, users who are found to click on malicious links in phishing emails could see a warning message pop up before they click on the URL. Another example would be an increase in the threat level of "suspicious email messages sent between departments with people who are especially vulnerable to being scammed," they said.
Officials with Fujitsu and Fujitsu Labs said they hope to get the technology on the market in 2016.